Jeff Krebs wrote, On 12/04/2007 08:00 PM:
* Todd Denniston (Todd.Denniston@xxxxxxxxxxxxxxxxxx) wrote:
From what I understood, the change to openssh listed in:
rpm -q --changelog openssh |less
as:
"* Wed Jun 20 2007 Tomas Mraz <tmraz@xxxxxxxxxx> - 4.5p1-7
- experimental NSS keys support
- correctly setup context when empty level requested (#234951)
"
was supposed to allow the Common Access Card (CAC) to work with the shipped
Fedora 8 ssh.
As per NSS usual, everything is undocumented, i.e., `ssh-add --help` does
not help at all, and `man ssh-add` points to `ssh-add -s reader`
# ssh-add -s 0
Enter passphrase for smartcard:
SSH_AGENT_FAILURE
Could not add card: 0
# ssh-add -s 1
Enter passphrase for smartcard:
SSH_AGENT_FAILURE
Could not add card: 1
So does anyone know how to use the possible functionality, or are we
reduced to reading the source?
There is a link:
http://www.nabble.com/ssh-and-CAC-t2483281.html
with some information.
Look at the next to the last email in that thread... yep, that's me.
You have the SmartCard setup working under Linux?
Yes, well _had_ in FC[1457].
https://bugzilla.redhat.com/show_bug.cgi?id=186469#c8
But Red Hat believes that known to be working (and documented) solutions are bad:
https://bugzilla.redhat.com/show_bug.cgi?id=186469#c11
so they tried to put their buggered up (my opinion) NSS solution in FC8 ssh
instead.
(I will comment more on this when I get done doing minimal testing on Alon's
patches to
http://www.openvpn.net
http://gnupg-pkcs11.sourceforge.net/
As we (DoD) need all of these to work, and apparently Alon has had them
working for over a year now, considering the date on the mail you pointed to.
At least the twists they did to pam_pkcs11 worked, even if they did not update
the documentation to explain how to make it work. I was fortunately on another
mailing list where someone had posted a quick how-to on getting it to sort of work.)
My real problem here is that I am trying to work with what the distribution
has (RH's NSS), instead of dropping back and punting Alon's and my patches into
yet another version of the distro which would mean I have to support it each
time a new fedora ssh patch is released.
What reader are you using? I've tried the ActiveCard v2.0 USB to no
avail. Actually, this is known not to work, but I had to try anyway :)
SCM SCR331 firmware 5.18
There is newer firmware that makes the SCR331 perform full length CCID
transfers (needed for the PIV applet), and I intend to update the whole batch
we have after I test a few.
BTW IIRC the ActiveCard v2.0 USB can be updated with the SCR firmware to
effectively make it act as an SCR, or so I have read, YMMV. I highly suggest
researching the change before doing it though, and I think at ~$20 a new
SCRx31 or Gemplus reader is easier to deal with. (So I suppose if you
consider the ActiveCard reader a door stop anyway, you would not lose
anything if you burn it out in the attempt to update the firmware.)
I should have an Athena USB reader coming my way soon. Hopefully that
will allow use with FireFox.
Assuming the Athena USB reader is CCID compliant
http://pcsclite.alioth.debian.org/ccid.html#CCID_compliant
then at least the CAC, through pcscd and CoolKey can be made to work with
pam_pkcs11 and Mozilla products.
Hope this helps you.
--
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter